ClawHub

Agent Swarm - 多智能体集群编排

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed multi-agent orchestration skill, but it gives agents powerful execution and persistence abilities with weak safeguards around memory reuse, filesystem scope, cron automation, and deletion.

Install only if you want a high-trust multi-agent environment. Before using it, narrow the default tool grants, especially automator cron/browser/exec access; keep agent workspaces under a dedicated directory; avoid logging secrets or personal data into experience memory; treat stored experience as untrusted; and avoid --no-backup deletion unless you have verified the exact path and have your own backup.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Output HandlingUnvalidated Output Injection, Cross-Context Output, Unbounded Output
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill advertises substantial file read/write and execution-oriented behavior, but does not declare corresponding permissions or safety boundaries. This creates a capability transparency problem: users and reviewers may not realize the skill can modify workspace files, initialize agent directories, or persist state, increasing the chance of unsafe invocation.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The documented purpose is agent orchestration, but the file also includes local agent lifecycle management, persistent memory handling, experience injection, and workspace initialization. This mismatch is dangerous because users may invoke the skill expecting ephemeral task routing while it also performs broader stateful system changes and prompt-shaping behavior.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Agent-management commands that add, remove, back up, and update agent configurations exceed normal task orchestration and enable durable changes to the agent environment. If misused, they can reconfigure future agent behavior, delete configurations, or introduce unsafe templates without the user recognizing the persistence of those effects.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill introduces persistent cross-task memory logging and later reinjects stored experience into future prompts. This creates a prompt-injection persistence channel where unsafe or attacker-controlled content can survive one task and influence later tasks, potentially across contexts and users.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The code supports permanent deletion of agent directories via `shutil.rmtree(agent_path)` when `--no-backup` is used. Because `agent_id` is joined into a filesystem path without validation or confinement checks, an operator or calling component could delete unintended directories if path traversal values are accepted, making the destructive capability more dangerous than a simple admin convenience.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The code constructs file paths directly from user-controlled `base_path` and `agent_id` and then creates directories and writes files without validation. In practice this allows path traversal or arbitrary file write within the permissions of the running process, which is more serious than ordinary logging because it can overwrite unrelated application data or plant attacker-controlled content in sensitive locations.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation explicitly supports setting cron-based automation but does not require warning, confirmation, or discussion of persistent system changes. Scheduled tasks can continue running after the current interaction, causing ongoing execution, repeated network access, or unintended resource consumption.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The guide shows an `apiKey` field with a literal placeholder in a persistent config example but gives no guidance on secret storage, file permissions, or avoiding committing credentials to disk. In a setup guide for a multi-agent platform, this can normalize unsafe handling of provider keys and increase the chance of credential leakage through dotfiles, backups, or source control.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The `--no-backup` path performs irreversible deletion with no confirmation, no audit log, and no safeguard beyond a command-line flag. In an agent-management context where directories contain prompts, configuration, and memory, accidental or misuse-driven deletion can cause immediate data loss and operational disruption.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The logger persists arbitrary experience and task content to disk automatically, but the CLI and file behavior provide no warning, consent flow, or redaction safeguards. In an agent environment this can silently retain sensitive task data, secrets, or personal information longer than users expect, increasing exposure if the host is shared or later compromised.

Unvalidated Output Injection

High
Category
Output Handling
Content
```python
# 获取历史经验
import subprocess
result = subprocess.run(
    ["python3", "scripts/experience_logger.py", "inject", "researcher", "--limit", "5"],
    capture_output=True, text=True
)
Confidence
97% confidence
Finding
subprocess.run( ["python3", "scripts/experience_logger.py", "inject", "researcher", "--limit", "5"], capture_output

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal